Re: What are the known security of IIS with WebDav??



On Jul 17, 5:44 am, WilliamVeldhuizen.@.somewhere.com wrote:
> We have plans to implement WebDav in our Web-application and
> therefore I am searching for some information about WebDav on the IIS
> platform.
>
> Our internet hosting provider tells us about some security problems with
> WebDav and they are wary of hosting WebDav. Unfortunately, they can't
> tell me the exact problems.
>
> Does anyone know of security issues/problems of IIS (6.0 or 7.0) with
> WebDav?



IIS7 does not (yet) have WebDAV support. It is being completely
rewritten for IIS7 because of underlying architectural changes.

To date, there is one known security issue involving WebDAV and IIS6.
However, it is hardly a security issue/problem of IIS6 because it is
actually a vulnerability within MSXML, which happens to be used by
WebDAV and exposed to the Internet via IIS. Sure, it is a
"vulnerability involving IIS", but it is hardly unique to IIS (i.e.
you can exploit it in any other way that MSXML gets invoked).

Personally, I think your internet hosting provider just doesn't want
to do any work to support you and is randomly blaming it on
"security". Since its release in 2003, IIS6 has proven to be highly
secure. One can count the number of IIS6 related security issues with
a few fingers on one hand (for example, see:
http://secunia.com/product/1438/?task=statistics), and the issues are
relatively minor:
- cookie mishandling of = -- return ASP error page detailing ASP file
  location
- WebDAV exposure of MSXML -- Denial of service by MSXML
- ASP buffer overflow -- which sounds bad until one realizes that IIS
  runs ASP with an unprivileged process identity.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
